GoPro cameras 'could be used to spy on owners'

A security firm has warned it is "too easy" for criminals to take control of GoPro cameras which could then be used to spy on their owners.

Pen Test Partners showed the BBC how it could gain access to a Hero4 camera that appeared to be turned off, to secretly watch or eavesdrop on users, or to view and delete existing videos.

The attack relied on victims setting simple passwords which could be guessed by software within seconds.

GoPro said its security was adequate.

Taking control

Ken Munro, a partner at Pen Test Partners, also said the way the cameras were set up meant that a wireless connection can unknowingly be left on after the power button on the device had been pressed to turn it off.

Image copyrightThinkstockImage caption
Turn off: Pressing the power button does not stop the device from being accessed wirelessly.

He showed how he could "wake" the device, turn off its recording lights, and then video-stream what the device could see to his own mobile phone.

Mr Munro said that in order to take control, a criminal would need to intercept and crack the encrypted Wi-fi key, which is set up by the user when they connect the camera to a mobile device such as a phone.

In his demo he captured the key using a laptop and some free specialist software.

'Sausages'

To make his point, Mr Munro then showed the BBC how his firm was able to use software freely available on the internet to guess the password a user might have set.

In this case the word "Sausages" was used as the password and the software guessed it in less than one minute.

The software tries thousands of possible passwords each second, using a dictionary of those known to be most commonly used.